Koobface on Facebook: How malicious contents sneak into social networking
Mohammad Reza Faghani
Outline
Introduction
Trend of Web malware
Social networks malware
What is XSS !?
Potentials of XSS Worms
Social Networks
XSS worm propagation
ClickJacking malware propagation
Trojan malware propagation
Summarizing the results from various studies
Recent study results
Our proposed scheme for malware detection
Conclusion
Introduction
Four key threats to consider
Spam
Bugs
Denial of Service
Malicious Software (malware)
Propagate via Spam Viruses, Worms, Trojans, SpyWare Exploits bugs ScareWare, …
Mount DOS
Introduction (cont.)
Why is malware so important to study?
Privacy and security issues
Cyber War
Stuxnet, Predator Drone
ISPs struggle under virus generated traffic
Cyber Criminals make a lot of money
Hidden costs
Reputation Introduction (cont.)
Malware is propagated via
P2P networks
Vulnerable OS services
Mobile phones
Web
Can even be Hybrid Trends of Web malware
Web malware
Most people frequently use Web
Population of the victims are much larger than other types of malware.
Social networks are popular among people
No barriers for web users
Malware writers prefer to exploit Web users Suppose each active user has on average 80% of web servers have critical vulnerabilities such as XSS (will128kbps discuss of bandwidth,XSS later) potential of 10 percent of active users is : Aggregated traffic80Mx128kbps= of the web 10 users’ Tbps browser would be huge Social networks malware
Samy could affect 1200000 over 1 million people Code Red I 1000000 1000000 Code Red II in less that 20 hours. Slammer 800000 Blaster MySpace was the Samy first but : 600000
Sina, July 2011 400000 359000 336000 275000 FB on March 29, 2011 200000 ClickJacking types 55000
Almost everyday 0
Twitter on Sep. 2010
…
Propagation of a Malware Why studying malware ?
To have a better understanding of propagation behaviors
Damage assessment
Providing enough traffic to avoid Denial of Service
Detecting the weaknesses of spreading
How we can counter-measure in the best way
Social networks malware
We can consider three main types of social networks malware attacks:
XSS worms
e.g. Samy
Trojans
e.g. Koobface
ClickJacking types
Forced like
Can lead to DriveByDownloads malware What is XSS !?
Cross Site Scripting (XSS) is a common vulnerability in web applications.
Has two types:
Reflected
Stored Reflected XSS
Application reflects exactly what it gets from the user.
user may inject a harmful script Stored XSS
Attacker stores a harmful script in the application database for further exploitation.
Comments
Forum talks
FB Wall XSS + AJAX = w0rm
XSS threat becomes more noticeable due to the combination of HTML and AJAX technology.
AJAX allows browsers to issue HTTP requests on behalf of the user.
No need for the attacker to deceive the victim to click on a special crafted link!
XSS worm propagation
XSS worm propagation consists of the following two steps:
Download
A visitor downloads (views) an infected profile and automatically executes the JavaScript payload.
Propagation
The payload is extracted from the contents of the profile being viewed and then added to the viewer’s profile. ClickJacking Worm Propagation
Unwittingly clicking on a hidden like button
and more friends get infected… Trojan Propagation
Then they post a similar link on the victim’s profile or send private messages to friends of the victim containing the malicious link.
Sometimes, they ask you to download the appropriate decoder to play the movie, which is indeed the Trojan itself. Research on OSN malware
Three main papers on OSN malware propagation (in chronological order):
[1] Faghani M. R., Saidi H., “Malware Propagation in Online Social networks”, Malware09, Montreal, 2009.
[2] W. Xu, F. Zhang, and S. Zhu., “Toward worm detection in online social networks”, (ACSAC), 2010.
[3] Guanhua Y., Guanling . And et al. , “Malware Propagation in Online Social Networks: Nature, Dynamics, and Defense Implications, (ASIACCS'11), March 2011.
Result Summary (from simulations)
Social network structure itself slows down the worm propagation.
10000 9000
8000 Random (q=0.9) Small World (q=0.9) 7000
6000
5000
4000
3000
Total Number of Infected profiles 2000
1000
0.5 1 1.5 2 2.5 3 5 Number of Visits x 10 Result summary (cont.)
User activities play an important role. 10000 9000 q=1 8000 q=0.9 q=0.7 7000 q=0.5 q=0.3 6000 q=0.1
5000
4000
3000
Total Numer of Infected profiles 2000
1000
0.5 1 1.5 2 2.5 3 3.5 4 5 NumberNumbe of Visitsvisits x 10 Result summary (cont.)
Trojan type spreads faster than XSS
10000
9000
8000 XSS Koobface, p=0.5 7000 Koobface, p=0.7
6000
5000
4000
3000
Total Number of Infected profiles 2000
1000
0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 4 Times in minutes x 10 Result summary (cont.)
Effect of Clustering coefficient is linear 5 x 10 1.75
1.7
1.65
1.6
1.55
1.5 Time required to have the whole population infected 0.1 0.105 0.11 0.115 0.12 0.125 0.13 0.135 0.14 0.145 0.15 Clustering Coefficent Result summary (cont.)
Effect of Infection Probability is exponential 5 x 10 10
9
8
7
6
5
4
3
2
Time required to have the whole population infected 1 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Probability of Executing the malware Recent Results (1)
Considering cliques
Those who have common interests create a group. 10000 A1 w ith 1 Clique 9000 C w ith 1 Clique A1 w ith 2 Cliques 8000 C w ith 2 Cliques 7000 6000
5000
4000
3000 Total Number of Infected
2000
1000
0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 5 Total Number of Visits x 10 Recent Results (2)
Considering overlapping cliques:
10000
9000 2 Cliques + 1 Common Clique 3 Cliques 8000 3 Cliques + 1 Common Clique 4 Cliques 7000
6000
5000
4000
3000 Total Number of Infected
2000
1000
0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 5 Total Number of Visits x 10 Proposed Defense System
Identify big cliques
Among them distinguish those users who are connected to different cliques.
Implement decoy friends or other detection mechanisms to detect malicious behaviors.
It is more efficient than current Facebook classifier system. Conclusion
User relationship structure plays an important role in malware propagation.
User activities affect speed of propagation.
Propagation of XSS types is slower than that of Trojan types.
A new defense mechanism can be built using OSN graph topology. Acknowledgement
Thank you
Any Question ?